It may well be Russia. My wife has a Portland real estate web site. 9% of the hits are from Russia. There is no financial or personal data on the site, so they move on. But their computer programs are scanning Google and other search engines listed websites.
 
Update. No reply or concern from Springfield Armory after attempting to contact them. The attack vectors (i.e., security risks) still exist for both their online store and their warranty registration websites as of December 18, 7:00am PT.
Springfield Armory Web Store - Springfield Armory Web Store
Springfield Armory® Warranty Site

The attack vector for both websites is an unacceptable SSL implementation. In non-technical terms, even though it appears they are encrypting the network traffic between their web servers and your browser, they are failing to do it properly and the problems are in the security configuration of their web servers. Given this fundamental "miss" it also makes me wonder what else is improperly configured or improperly secured beyond the web servers.

Anyone can use the free web service from Qualys SSL Labs to run a test on a public website. Here are the results for each of the Springfield Armory websites:
SSL Server Test: store.springfield-armory.com (Powered by Qualys SSL Labs)
SSL Server Test: www.springfieldwarranty.com (Powered by Qualys SSL Labs)

If the result appears immediately it means the test was recently run by someone and it is still in cache. If not, then give Qualys' free service about 90 seconds to run the tests again. You may also click on the "Clear Cache" link and have Qualys run the tests again.

I've been doing enterprise IT for almost 30 years and I run my own SaaS/cloud software company on the side, so I'm not exaggerating the risk to your personal information. Springfield Armory has left the door wide open for a hack on both of these websites. It's like leaving your vehicle parked in a bad area with the doors unlocked and the window rolled down - you're asking for it...

I like Springfield Armory and I own several of their products, but their IT security and lack of response is pathetic. I say this because I was personally notified of a previous data breach between October 3, 2015 and October 9, 2016.

Use their websites at your own risk...

As an aside, if you're unsure about a website then run it through the free service from Qualys.
SSL Server Test (Powered by Qualys SSL Labs)
 
I received a letter from Springfield Armory - their website was hacked, and the intruder may have had continued access for the period between October 3, 2015 and October 9, 2016.

So if you purchased something from their website, keep an eye on your credit card(s) and personal information...
This is actually a huge issue in the firearms industry, well, and online retail in general. It seems like at least 3 of the sites I've purchased from have had data breaches recently.
 
@Diamondback thanks. For Primary Arms, it probably means that they are not even using SSL (i.e., encrypting the traffic between your browser and their web server(s)), or it's possible their store or checkout process uses a different website name.
 
I think they use Shopify or a similar back-end.

Any idea how to put together a Fire Mission letting GMW know about their hack-bait system in a legal way they can't ignore?

EDIT: How's this look for a draft email?
"Your security review didn't fix the problems with your site being breached--I placed an order through you that got popped with my card info stolen, but my bank caught it before they could do anything.

You might want to take a look at this page: SSL Server Test: gunmagwarehouse.com (Powered by Qualys SSL Labs) because as long as you're compromised at the Secure Socket Layer level anything else you do is just window-dressing and the major vulnerability remains.

When you fix this, I'll consider coming back as a customer; until then I simply cannot afford the risk."
 
@ATCclears It seems to me that failure to remedy a security breach after being advised of it would make them legally liable for the consequences... I'm remembering phrases like "Reckless Disregard," "Depraved Indifference"... anybody else wanna pile on with other flavors of Nutsack In Wringer Ambulance Chasing Fun?
 
So am I... but the point is they need to also see the vulnerabilities they open themselves up to not just in e-commerce but in the courtroom, and pointing out the myriad ways they've invited some unscrupulous hack to pursue crippling punitives is part of that. IIRC, cybercrime is not covered in PLCA...
 
